5.5
CVE-2026-31664 - xfrm: clear trailing padding in build_polexpire()
In the Linux kernel, the following vulnerability has been resolved: xfrm: clear trailing padding in build_polexpire() build_expire() clears the trailing padding bytes of struct xfrm_user_expire after setting the hard field via memset_after(), but the analogous function build_polexpire() does not β¦
7.8
CVE-2026-31602 - ALSA: ctxfi: Limit PTP to a single page
In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Limit PTP to a single page Commit 391e69143d0a increased CT_PTP_NUM from 1 to 4 to support 256 playback streams, but the additional pages are not used by the card correctly. The CT20K2 hardware already has multiple Vβ¦
5.5
CVE-2026-31573 - media: verisilicon: Fix kernel panic due to __initconst misuse
In the Linux kernel, the following vulnerability has been resolved: media: verisilicon: Fix kernel panic due to __initconst misuse Fix a kernel panic when probing the driver as a module: Unable to handle kernel paging request at virtual address ffffd9c18eb05000 of_find_matching_node_and_maβ¦
5.5
CVE-2026-31565 - RDMA/irdma: Fix deadlock during netdev reset with active connections
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix deadlock during netdev reset with active connections Resolve deadlock that occurs when user executes netdev reset while RDMA applications (e.g., rping) are active. The netdev reset causes ice driver to remove irdmβ¦
0.0
CVE-2026-31540 - drm/i915/gt: Check set_default_submission() before deferencing
In the Linux kernel, the following vulnerability has been resolved: drm/i915/gt: Check set_default_submission() before deferencing When the i915 driver firmware binaries are not present, the set_default_submission pointer is not set. This pointer is dereferenced during suspend anyways. Add a cheβ¦
7.8
CVE-2026-31578 - media: as102: fix to not free memory after the device is registered in as102_usb_probe()
In the Linux kernel, the following vulnerability has been resolved: media: as102: fix to not free memory after the device is registered in as102_usb_probe() In as102_usb driver, the following race condition occurs: ``` CPU0 CPU1 as102_usb_probe() kzalloc(); // alloc as102_dev_t .... β¦
7.8
CVE-2026-31582 - hwmon: (powerz) Fix use-after-free on USB disconnect
In the Linux kernel, the following vulnerability has been resolved: hwmon: (powerz) Fix use-after-free on USB disconnect After powerz_disconnect() frees the URB and releases the mutex, a subsequent powerz_read() call can acquire the mutex and call powerz_read_data(), which dereferences the freed β¦
5.5
CVE-2026-31616 - usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete()
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_phonet: fix skb frags[] overflow in pn_rx_complete() A broken/bored/mean USB host can overflow the skb_shared_info->frags[] array on a Linux gadget exposing a Phonet function by sending an unbounded sequence of fulβ¦
5.5
CVE-2026-31615 - usb: gadget: renesas_usb3: validate endpoint index in standard request handlers
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: renesas_usb3: validate endpoint index in standard request handlers The GET_STATUS and SET/CLEAR_FEATURE handlers extract the endpoint number from the host-supplied wIndex without any sort of validation. Fix this up bβ¦
7.8
CVE-2026-31587 - ASoC: qcom: q6apm: move component registration to unmanaged version
In the Linux kernel, the following vulnerability has been resolved: ASoC: qcom: q6apm: move component registration to unmanaged version q6apm component registers dais dynamically from ASoC toplology, which are allocated using device managed version apis. Allocating both component and dynamic daisβ¦